0

I am trying to dump a variable from a syscall probe in a systemtap script:

probe syscall.execve
{
  printf("ARGS: %s\n", argstr)
  print($envp)
  print("\n")
}

After running a program under systemtap like this

sudo stap -vv -W script.stp -c ./run.sh -o log.txt

I get something similar to the following (in log.txt):

ARGS: "some-binary-name", ["arg1", "arg2"], [/* 6 vars */]
140089557153664

Unfortunately, the [/* 6 vars */] string is literally what I get in the log instead of the actual contents of $envp. And when I try to output $envp using print, I get some numeric value (which is probably the address of the array) instead of the array elements.

How do I dump the actual strings that are stored in $envp?

Mikhail Maltsev
  • 1,632
  • 11
  • 21

1 Answers1

1

The syscall.execve probes export the env_str script variable, which in modern systemtap (3.2 here) contain the whole environment string, up to the MAXSTRINGLEN limit:

 # stap -e 'probe syscall.execve { println(env_str)}'
 ["XDG_SEAT=seat0", "XDG_SESSION_ID=1", "WINDOWPATH=1", "DISPLAY=:0.0", "SYSTEMTAP_SYNC=1", "TMPDIR=/var/tmp", "HOSTNAME=very.elastic.org", "QTLIB=/usr/lib64/qt-3.3/lib", "COLORTERM=truecolor", "LOGNAME=fche", "MODULESHOME=/usr/share/Modules", "VISUAL=vi", "XORG_RUN_AS_USER_OK=1", "SHELL=/bin/zsh", "SCGCINFO=1", "PATH=/home/fche/bin:/home/fche/bin:/home/fche/bin:/usr/libexec/python2-sphinx:/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/home/fche/bin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/home/fche/bin:/usr/loca

Another method is to use the env_var function to fetch a particular environment variable from the current process. See man function::env_var:

# stap -e 'probe syscall.execve { println(env_var("PATH")) }'
/home/fche/bin:/usr/libexec/python2-sphinx:/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/home/fche/bin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/home/fche/bin:/usr/local/sbin:/usr/sbin:/sbin
fche
  • 2,641
  • 20
  • 28